SFTP | DCMSThttps://portfolio.devcrumbs.com/tag/sftp/SFTPWowchemy (https://wowchemy.com)en-usTue, 31 Mar 2015 00:00:00 +0000https://portfolio.devcrumbs.com/media/icon_hu28290437db960aa4e7d19bb9f7230401_6937_512x512_fill_lanczos_center_3.pngSFTPhttps://portfolio.devcrumbs.com/tag/sftp/SFTP Jailedhttps://portfolio.devcrumbs.com/sftp-jailed/Tue, 31 Mar 2015 00:00:00 +0000https://portfolio.devcrumbs.com/sftp-jailed/<p>To configure your server to use a jailed user on SFTP you should do:</p> <ol> <li> <p>Edit the sshd_config file</p> <p>We need to comment the following line:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">Subsystem sftp /usr/libexec/openssh/sftp-server </span></span></code></pre></div><p>And add the uncomment line, your modification will be same as:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl"><span class="c1"># Subsystem sftp /usr/libexec/openssh/sftp-server</span> </span></span><span class="line"><span class="cl">Subsystem sftp internal-sftp </span></span></code></pre></div><p>Also, at the end of the file we should to add the next lines:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">Match Group sftponly </span></span><span class="line"><span class="cl">ChrootDirectory %h </span></span><span class="line"><span class="cl">X11Forwarding no </span></span><span class="line"><span class="cl">AllowTCPForwarding no </span></span><span class="line"><span class="cl">ForceCommand internal-sftp </span></span></code></pre></div><p>After save all the changes, we must restart the sshd daemon</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">service sshd restart </span></span></code></pre></div></li> <li> <p>Add <strong>sftponly</strong> group</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">groupadd sftponly </span></span></code></pre></div><ol> <li>Add jailed user and add to <strong>sftponly</strong> group</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">useradd -m USERNAME </span></span><span class="line"><span class="cl">passwd USERNAME </span></span><span class="line"><span class="cl">usermod -aG sftponly,apache USERNAME </span></span></code></pre></div></li> <li> <p><strong>IMPORTANT</strong>: Create directory and establish correct permissions</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">chown root:root /home/USERNAME </span></span><span class="line"><span class="cl">chmod <span class="m">755</span> /home/USERNAME </span></span><span class="line"><span class="cl">mkdir /home/USERNAME/TEST.DOMAIN.COM </span></span><span class="line"><span class="cl">chown apache:apache /home/USERNAME/TEST.DOMAIN.COM </span></span><span class="line"><span class="cl">chmod <span class="m">775</span> /home/USERNAME/TEST.DOMAIN.COM </span></span><span class="line"><span class="cl">mkdir /var/www/vhost/TEST.DOMAIN.COM </span></span><span class="line"><span class="cl">chown apache:apache /var/www/vhost/TEST.DOMAIN.COM </span></span><span class="line"><span class="cl">chmod <span class="m">775</span> /var/www/vhost/TEST.DOMAIN.COM </span></span></code></pre></div><p>Note: <em>If you have any connection problem please double check the permissions on the folders and check the logs on /var/log/secure</em></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">tail -f /var/log/secure </span></span></code></pre></div></li> <li> <p>Mount DocumentRoot path on jailed user home directory</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">mount -o bind,noatime /var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM </span></span></code></pre></div></li> <li> <p>Make the mount point permanent, editing the fstab file:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">vi /etc/fstab </span></span></code></pre></div><p>Add the mount point at the end of the file:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">/var/www/vhost/TEST.DOMAIN.COM/ /home/USERNAME/TEST.DOMAIN.COM none bind,noatime <span class="m">0</span> <span class="m">0</span> </span></span></code></pre></div><p>Save and exit</p> </li> <li> <p>Test connection:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-shell" data-lang="shell"><span class="line"><span class="cl">sftp SERVERIP </span></span></code></pre></div></li> </ol>